I think it is safe to say within cyber security and compliance it is not possible to be a master of all things, especially with how fast the industry and landscapes are evolving. I believe once people realise this and stop trying to be a jack of all trades but master of F-all, security will be vastly improved across the board.

Personally, I am not one for DIY, I can put up a shelf or hang a painting but my skills stop there and I accept this. I would much rather call in a joiner who is more qualified and has the tools and experience to do the work to a much higher quality, far more efficiently but importantly also comes with a far greater level of confidence in the outcome from the offset.

Security and compliance projects can be held in the same vein. For example, if you have to comply with PCI DSS you could spend a long time reading books and articles around your perceived current status and infrastructure, with a fairly high potential to misunderstand or get something wrong; but get an expert involved and in a shorter timeframe you will have understandable advice around requirements and potentially how to descope elements, therefore minimising your requirements, reducing the costs and effort moving forward.  I am personally failing to see the downside of doing things this way, or am I missing something?

Let’s take a different security project which every company should be doing, training. You could ask the IT Manager, HR Manager or Risk and Compliance manager to come up with training material for standard security awareness. This area is broad but could involve: phishing, secure passwords, staying safe at home, remote working or social engineering to name a few. Out of the personnel named earlier, I feel that the IT Manager would be best placed, knowledge-wise, to put this together.

But do they have the time and the skills to put these topics into terms and a format that can be understood and engaging for staff? Probably not, or not in a decent timescale or budget when compared to getting in a professionally developed and maintained option from experts within the industry.

I have attempted a rough breakdown on costs below for the creation of 2 training videos for 50 staff.

IT Manager Salary – £45,675 – taken from Glassdoor average figures

2 full days of effort from the IT Manager per video created (research, developing, tweaking following feedback) – £725

1 day for review by HR manager/management – £161

A LMS system – based on looking at different viable options between £480 + VAT per annum for on-premise basic package, or £4 per user per month for cloud-based option, with user tracking and functionality. The quality and requirement vary greatly.

Year 1 rough estimated costs for 75 staff – between £1,366 + VAT to £4,486 + VAT.

This does not take into account extra costs for new servers and time configuring the LMS. Additionally, it does not include any updates to material required over the 12 months, any additional software needed for creation and assumes a level of competence from the IT manager. But let’s ignore these glaring holes for now!

To get training modules created and hosted by experts based on 75 staff would be roughly £5.00 per user per training video. So take 2 videos as before it would come out at £750 + VAT. Other very good options are out there that include the ability to perform training exercises and with more generic videos they start at £12 per user per annum for 75 staff, total cost £900 + VAT. There are differences between the two so getting the right one takes demos and discussions.

Both these options are kept up to date with recent findings and to any industry standards. Have been created to be engaging and deliver key points improving overall company security, reduce the risks and potentially lower any fines imposed in the event of a data breach.

Once again, I fail to see why a company would spend any time or internal resources attempting to develop their own training.

There are situations where getting experts in maybe isn’t the right option but with cyber security and compliance the ROI is sometimes easy to show, and I would say is one of the worse areas to get it wrong. I would personally say engage with people who know what they are talking about and can ensure that projects deliver what is intended in the first place.

To discuss your requirements and how to maximise the ROI on your security and compliance spend, please get in touch.

lee@yorcybersec.co.uk – 07552 634475

www.yorcybersec.co.uk